[ale] Its over. Maybe
Jim Popovitch
jimpop at yahoo.com
Fri Nov 5 14:48:34 EST 2004
On Fri, 2004-11-05 at 13:36 -0500, Geoffrey wrote:
> The independent review identified problems with the system. Let me be
> clear. An independent review where identified issues are addressed.

The SAIC report DID identify and address the issues. I've ccp'ed the
text below so that you don't have to go find it again. I encourage you
and everyone else to read this short executive overview so that you
fully understand what SAIC had to say.

To me, it seems quite clear that SAIC did a complete examination and
provided a lengthy list of implementation recommendations that DO
address the identified issues. I ask once again: what more could you
want?

-Jim P.
----
Portions copied from:
http://www.dbm.maryland.gov/dbm_publishing/public_content/dbm_search/technology/toc_voting_system_report/votingsystemreportfinal.pdf

This Risk Assessment has identified several high-risk vulnerabilities in
the implementation of the managerial, operational, and technical
controls for AccuVote-TS voting system. If these vulnerabilities are
exploited, significant impact could occur on the accuracy, integrity,
and availability of election results. In addition, successful
exploitation of these vulnerabilities could also damage the reputation
and interests of the SBE and the LBEs. This Risk Assessment also
identified numerous vulnerabilities with a risk rating of medium and low
that may have an impact upon AccuVote-TS voting if exploited.

This assessment of the current security controls within the AccuVote-TS
voting system is dependent upon the system being isolated from any
network connections. If any of the AccuVote-TS voting system components,
as presently configured and architected, were connected to a network,
the risk rating would immediately be raised to high for several of the
identified vulnerabilities. SAIC recommends that a new risk assessment
be performed prior to the implementation of a major change to the
AccuVote-TS voting system. Additionally, SAIC recommends a similar
assessment to be performed at least every three years, regardless of
system modification.

We recommend that SBE immediately implement the following mitigation
strategies to address the identified risks with a rating of high:
- Bring the AccuVote-TS voting system into compliance with the State of
Maryland Information Security Policy and Standards.
- Consider the creation of a Chief Information Systems Security Officer
(CISSO) position at SBE. This individual would be responsible for the
secure operations of the AccuVote-TS voting system.
- Develop a formal, documented, complete, and integrated set of standard
policies and procedures. Apply these standard policies and procedures
consistently through the LBEs in all jurisdictions.
- Create a formal System Security Plan. The plan should be consistent
with the State of Maryland Information Security Policy and Standards,
Code of Maryland Regulations (COMAR), Federal Election Commission (FEC)
standards, and industry best practices.
- Apply cryptographic protocols to protect transmission of vote tallies.
- Require 100 percent verification of results transmitted to the media
through separate count of PCMCIA cards containing the original votes
cast.
- Establish a formal process requiring the review of audit trails at
both the application and operating system levels.
- Provide a formal information security awareness, training, and
education program appropriate to each user's level of access.
- Review any system modifications through a formal, documented, risk
assessment process to ensure that changes do not negate existing
security controls. Perform a formal risk assessment following any major
system modifications, or at least every three years.
- Implement a formal, documented process to detect and respond to
unauthorized transaction attempts by authorized and/or unauthorized
users.
- Establish a formal, documented set of procedures describing how the
general support system identifies access to the system.
- Change default passwords and passwords printed in documentation
immediately.
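Two of the high-risk mitigations quoted above are technical rather than procedural: applying cryptographic protocols to protect the transmission of vote tallies, and requiring 100 percent verification of transmitted results against a separate count of the PCMCIA cards holding the original votes. The following is an added illustration of both controls, not code from the SAIC report, the SBE, or the AccuVote-TS system. It assumes a hypothetical shared key for message authentication, a constructed set of per-card vote records, and a JSON tally message format chosen here for the example; it uses HMAC-SHA256 from the Python standard library to detect tampering in transit, and a reconciliation step that compares the received tally with an independent count of the original card records.

```python
import hmac
import hashlib
import json
from collections import Counter
from typing import Optional

# Hypothetical shared transmission key. In a real deployment this would come
# from a key-management process, never from a constant in source code.
TRANSMISSION_KEY = b"example-key-not-for-production"


def sign_tally(tally: dict, precinct: str, key: bytes = TRANSMISSION_KEY) -> dict:
    """Wrap a tally in a message whose integrity and origin can be checked.

    The body is serialized as canonical JSON (sorted keys, no whitespace) so
    that sender and receiver compute the MAC over identical bytes.
    """
    body = {"precinct": precinct, "tally": tally}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def verify_tally(message: dict, key: bytes = TRANSMISSION_KEY) -> Optional[dict]:
    """Return the parsed body if the MAC is valid, otherwise None.

    compare_digest avoids leaking timing information about where the
    comparison failed.
    """
    payload = message["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["mac"]):
        return None
    return json.loads(payload)


def count_cards(cards: list) -> dict:
    """Independent count from the original per-card vote records.

    Each card is modelled as a list of candidate names, one per vote cast.
    """
    total = Counter()
    for card in cards:
        total.update(card)
    return dict(total)


def reconcile(transmitted: dict, independent: dict) -> list:
    """Compare a received tally with the independent card count.

    Returns a list of human-readable discrepancies; an empty list means the
    transmitted result is fully verified against the original media.
    """
    discrepancies = []
    for candidate in sorted(set(transmitted) | set(independent)):
        sent = transmitted.get(candidate, 0)
        counted = independent.get(candidate, 0)
        if sent != counted:
            discrepancies.append(
                f"{candidate}: transmitted {sent}, card count {counted}"
            )
    return discrepancies


# Constructed sample data: three PCMCIA cards, each holding the votes cast on
# one terminal. Totals: Alice 4, Bob 2.
CARDS = [
    ["Alice", "Bob", "Alice"],
    ["Bob", "Alice"],
    ["Alice"],
]


if __name__ == "__main__":
    tally = count_cards(CARDS)
    message = sign_tally(tally, "precinct-01")

    # Normal path: MAC verifies and the tally matches the card count.
    received = verify_tally(message)
    print("verified:", received is not None)
    print("discrepancies:", reconcile(received["tally"], count_cards(CARDS)))

    # Tampered in transit: payload altered, MAC no longer matches.
    tampered = {
        "payload": message["payload"].replace('"Alice":4', '"Alice":5'),
        "mac": message["mac"],
    }
    print("tampered verified:", verify_tally(tampered) is not None)

    # Authentic but wrong: a valid MAC only proves the sender sent it, so the
    # separate card count is what catches an incorrect reported total.
    print(reconcile({"Alice": 5, "Bob": 2}, count_cards(CARDS)))
```

The two checks catch different failures. The MAC detects modification between sender and receiver, but a message signed by a faulty or compromised sender still verifies, which is why the report asks for a separate count of the original cards rather than trusting the transmitted figure. A shared-key MAC also gives no non-repudiation; if the receiving side must prove to a third party which jurisdiction sent a tally, a public-key signature scheme and a key-management process would be needed in place of the shared key assumed here.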